It's Time to Encrypt Your Email: Using the Browser
This is the next tutorial in a series focusing on encrypting your email. In the first tutorial, we introduced the general concepts of encryption and how they can be used to secure and authenticate our emails. In the second tutorial, I guided you through installing encryption software on your computer and getting started sending your first messages; we used GPGTools for Mac OS X, an integration of open source GnuPG. In the third episode, I introduced you to Keybase, a service designed to strengthen the Web of Trust.
In this tutorial, I'll guide you through using a browser-based plugin for encrypting and decrypting email for browser-based webmail such as Gmail. I'll also cover some of the vulnerabilities inherent in browser-based PGP solutions.
In addition to reading the earlier episodes, you may want to check out the Electronic Frontier Foundation's Surveillance Self-Defense Guide.
In upcoming episodes, we'll explore PGP solutions for smartphones and encrypting your Internet activities with the use of a VPN. Finally, as part of the series on managing your digital assets after your death, we'll use what we've learned to create a secure cache of important information for your descendants in case of emergency.
Just a reminder, I regularly participate in the discussions below. If you have a question or topic suggestion, please post a comment below. You can also follow me on Twitter @reifman or email me directly.
What's Mailvelope?
Now that we've begun using encrypted messaging, it makes sense to ask if we can use it from browser-based webmail such as Gmail. The short answer is yes, but not with the same level of security as application-based solutions.
Mailvelope is one such browser extension available for Chrome and Firefox. Its PGP engine is based on open-source OpenPGP.js. It offers built-in compatibility for Gmail, Yahoo Mail, Outlook.com and GMX.
But, as a browser-based solution, Mailvelope is vulnerable in a few different ways. The primary concern is hosting your private key in the browser. Mailvelope encrypts your key with a passphrase. Thus, the encrypted package is subject to online theft just like any other browser-based data. Mailvelope recommends a strong password like the ones this Intercept article suggests:
Given the scenario that an attacker is able to steal the private key, the resilience against brute-force attacks on the encrypted private key depends on the quality of the password.
Mailvelope also says that, "if one of the computers on both sides of the communication is compromised (e.g. with a key logger) encryption won't help."
Last summer, Google announced its own PGP extension for Chrome called End to End, but it's not ready for prime time—probably for some of the same reasons. It's currently in alpha release as they seek to improve its security capabilities. You can get the code at GitHub. I presume Google will add some functionality to Chrome to store the private key more securely, hopefully in a way that third-party developers, such as Mailvelope, can also benefit from.
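To put numbers on the passphrase advice above, here is an added example (not from the original tutorial or from Mailvelope). It assumes the dice-based Diceware method with a 7,776-word list and a constructed guessing rate, uses a CSPRNG in place of physical dice, and computes entropy and average guessing time per word count.

```python
import math
import secrets

# Assumption: the standard Diceware list size, 6**5 = 7776 words, each picked
# by five six-sided dice rolls.
DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD


def roll_group():
    """Five CSPRNG 'dice rolls' as a string such as '16655' (stands in for real dice)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def rolls_to_index(group):
    """Map a roll group to its 0-based row in a sorted 7776-entry word list."""
    if len(group) != DICE_PER_WORD or any(c not in "123456" for c in group):
        raise ValueError(f"not a valid roll group: {group!r}")
    index = 0
    for c in group:
        index = index * 6 + (int(c) - 1)
    return index


def entropy_bits(words):
    """Entropy of a passphrase of `words` independently, uniformly chosen words."""
    return words * math.log2(LIST_SIZE)


def words_needed(target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(LIST_SIZE))


def average_years_to_guess(words, guesses_per_second):
    """Expected time to hit the passphrase: half the keyspace at the given rate."""
    expected_guesses = LIST_SIZE ** words / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ASSUMED_RATE = 1e9  # constructed figure: guesses/second against the key's passphrase
    for n in (4, 5, 6, 7):
        print(f"{n} words: {entropy_bits(n):5.1f} bits, "
              f"~{average_years_to_guess(n, ASSUMED_RATE):.3g} years on average")
    print("roll groups to look up:", " ".join(roll_group() for _ in range(7)))
```

Each printed roll group is looked up in a Diceware word list you have obtained yourself; the estimate only holds if every word is chosen at random, not picked by hand.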
Getting Started With Mailvelope
To begin with Mailvelope, we need to add the extension to Chrome or Firefox. When you click on the Chrome extension link, you'll see something like this:
Installation for me was quite quick—no need to restart. You'll see the icon to the upper right of the browser window for the extension's navigation and status:
The Mailvelope main page should come up right away as well:
To continue, we need to import our public and private key.
Import Your Key Pair
If you've followed along with our earlier tutorials, you're already using a key pair. If you need to generate a new key pair, Mailvelope will do that for you.
In my case, I want to import my existing key pair. To do this, click the Import Keys button and paste your public key in and submit it:
Repeat the process with your private key.
You should see something like this under Display Keys:
If you click on the key, you can see more information and manage details about it:
Sending an Encrypted Message
Sending messages with Mailvelope is easy, but you do need to import public keys for any intended recipients. Just obtain the trusted public keys for your recipient, like mine at Keybase, and follow the steps above to import them into your Mailvelope keyring.
Then, in Gmail, compose a new message. Notice the small popup to the lower right.
Clicking the popup will display the Mailvelope encrypted message form:
Type your secret message and click Encrypt. Mailvelope will ask you to specify the public key to use for the encryption. I'm sending this to my friend Phillip—a colleague who has a great write-up on PGP encryption for journalists and encouraged me to write about these topics. Choose the recipient and click Add:
Mailvelope will encrypt the message. Just click Transfer, which pastes the PGP message back to the Gmail compose window.
It's nice being able to easily combine plaintext messages and secret encrypted messages inside one Gmail message.
Receiving an Encrypted Message
When you receive an encrypted message, Mailvelope will display a semi-transparent overlay over the message.
Click the overlay and you'll be asked for your passphrase to unlock your private key. Make sure no one is looking over your shoulder—think Citizenfour, blanket-covered Snowden.
Click OK and your secret message will appear. Of course, I've blacked it out because I don't want to embarrass Phillip for complaining I don't give him enough credit for suggesting article topics (Mailvelope wasn't his idea, by the way, but a few of the others in this series were—but I digress).
What's Next?
I hope you're impressed with Mailvelope. I found it to be pretty simple and useful. You can learn more about it in their documentation and FAQ pages. If you give it a try, be sure to use a very secure passphrase (does anyone still have dice, seriously?).
Please feel free to post your questions and comments below. You can also follow me on Twitter @reifman or email me directly. Browse my Tuts+ instructor page if you'd like to see other tutorials I've written.